1 /* ***** BEGIN LICENSE BLOCK ***** 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 3 * 4 * The contents of this file are subject to the Mozilla Public License Version 5 * 1.1 (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * http://www.mozilla.org/MPL/ 8 * 9 * Software distributed under the License is distributed on an "AS IS" basis, 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 11 * for the specific language governing rights and limitations under the 12 * License. 13 * 14 * The Original Code is the Netscape security libraries. 15 * 16 * The Initial Developer of the Original Code is 17 * Netscape Communications Corporation. 18 * Portions created by the Initial Developer are Copyright (C) 2000 19 * the Initial Developer. All Rights Reserved. 20 * 21 * Contributor(s): 22 * Ian McGreer <mcgreer (at) netscape.com> 23 * Javier Delgadillo <javi (at) netscape.com> 24 * 25 * Alternatively, the contents of this file may be used under the terms of 26 * either the GNU General Public License Version 2 or later (the "GPL"), or 27 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 28 * in which case the provisions of the GPL or the LGPL are applicable instead 29 * of those above. If you wish to allow use of your version of this file only 30 * under the terms of either the GPL or the LGPL, and not to allow others to 31 * use your version of this file under the terms of the MPL, indicate your 32 * decision by deleting the provisions above and replace them with the notice 33 * and other provisions required by the GPL or the LGPL. If you do not delete 34 * the provisions above, a recipient may use your version of this file under 35 * the terms of any one of the MPL, the GPL or the LGPL. 36 * 37 * ***** END LICENSE BLOCK ***** */ 38 39 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" 40 41 #include <cert.h> 42 #include <certdb.h> 43 #include <pk11pub.h> 44 #include <secerr.h> 45 46 #include "base/logging.h" 47 #include "crypto/nss_util_internal.h" 48 #include "crypto/scoped_nss_types.h" 49 #include "net/base/net_errors.h" 50 #include "net/cert/x509_certificate.h" 51 #include "net/cert/x509_util_nss.h" 52 53 #if !defined(CERTDB_TERMINAL_RECORD) 54 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD 55 * and marks CERTDB_VALID_PEER as deprecated. 56 * If we're using an older version, rename it ourselves. 57 */ 58 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER 59 #endif 60 61 namespace mozilla_security_manager { 62 63 // Based on nsNSSCertificateDB::handleCACertDownload, minus the UI bits. 64 bool ImportCACerts(const net::CertificateList& certificates, 65 net::X509Certificate* root, 66 net::NSSCertDatabase::TrustBits trustBits, 67 net::NSSCertDatabase::ImportCertFailureList* not_imported) { 68 if (certificates.empty() || !root) 69 return false; 70 71 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); 72 if (!slot.get()) { 73 LOG(ERROR) << "Couldn't get internal key slot!"; 74 return false; 75 } 76 77 // Mozilla had some code here to check if a perm version of the cert exists 78 // already and use that, but CERT_NewTempCertificate actually does that 79 // itself, so we skip it here. 80 81 if (!CERT_IsCACert(root->os_cert_handle(), NULL)) { 82 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 83 root, net::ERR_IMPORT_CA_CERT_NOT_CA)); 84 } else if (root->os_cert_handle()->isperm) { 85 // Mozilla just returns here, but we continue in case there are other certs 86 // in the list which aren't already imported. 87 // TODO(mattm): should we set/add trust if it differs from the present 88 // settings? 89 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 90 root, net::ERR_IMPORT_CERT_ALREADY_EXISTS)); 91 } else { 92 // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported, 93 // and it doesn't take the slot as an argument either. Instead, we use 94 // PK11_ImportCert and CERT_ChangeCertTrust. 95 SECStatus srv = PK11_ImportCert( 96 slot.get(), 97 root->os_cert_handle(), 98 CK_INVALID_HANDLE, 99 net::x509_util::GetUniqueNicknameForSlot( 100 root->GetDefaultNickname(net::CA_CERT), 101 &root->os_cert_handle()->derSubject, 102 slot.get()).c_str(), 103 PR_FALSE /* includeTrust (unused) */); 104 if (srv != SECSuccess) { 105 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 106 return false; 107 } 108 if (!SetCertTrust(root, net::CA_CERT, trustBits)) 109 return false; 110 } 111 112 PRTime now = PR_Now(); 113 // Import additional delivered certificates that can be verified. 114 // This is sort of merged in from Mozilla's ImportValidCACertsInList. Mozilla 115 // uses CERT_FilterCertListByUsage to filter out non-ca certs, but we want to 116 // keep using X509Certificates, so that we can use them to build the 117 // |not_imported| result. So, we keep using our net::CertificateList and 118 // filter it ourself. 119 for (size_t i = 0; i < certificates.size(); i++) { 120 const scoped_refptr<net::X509Certificate>& cert = certificates[i]; 121 if (cert == root) { 122 // we already processed that one 123 continue; 124 } 125 126 // Mozilla uses CERT_FilterCertListByUsage(certList, certUsageAnyCA, 127 // PR_TRUE). Afaict, checking !CERT_IsCACert on each cert is equivalent. 128 if (!CERT_IsCACert(cert->os_cert_handle(), NULL)) { 129 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 130 cert, net::ERR_IMPORT_CA_CERT_NOT_CA)); 131 VLOG(1) << "skipping cert (non-ca)"; 132 continue; 133 } 134 135 if (cert->os_cert_handle()->isperm) { 136 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 137 cert, net::ERR_IMPORT_CERT_ALREADY_EXISTS)); 138 VLOG(1) << "skipping cert (perm)"; 139 continue; 140 } 141 142 if (CERT_VerifyCert(CERT_GetDefaultCertDB(), cert->os_cert_handle(), 143 PR_TRUE, certUsageVerifyCA, now, NULL, NULL) != SECSuccess) { 144 // TODO(mattm): use better error code (map PORT_GetError to an appropriate 145 // error value). (maybe make MapSecurityError or MapCertErrorToCertStatus 146 // public.) 147 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 148 cert, net::ERR_FAILED)); 149 VLOG(1) << "skipping cert (verify) " << PORT_GetError(); 150 continue; 151 } 152 153 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use 154 // PK11_ImportCert instead. 155 SECStatus srv = PK11_ImportCert( 156 slot.get(), 157 cert->os_cert_handle(), 158 CK_INVALID_HANDLE, 159 net::x509_util::GetUniqueNicknameForSlot( 160 cert->GetDefaultNickname(net::CA_CERT), 161 &cert->os_cert_handle()->derSubject, 162 slot.get()).c_str(), 163 PR_FALSE /* includeTrust (unused) */); 164 if (srv != SECSuccess) { 165 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 166 // TODO(mattm): Should we bail or continue on error here? Mozilla doesn't 167 // check error code at all. 168 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 169 cert, net::ERR_IMPORT_CA_CERT_FAILED)); 170 } 171 } 172 173 // Any errors importing individual certs will be in listed in |not_imported|. 174 return true; 175 } 176 177 // Based on nsNSSCertificateDB::ImportServerCertificate. 178 bool ImportServerCert( 179 const net::CertificateList& certificates, 180 net::NSSCertDatabase::TrustBits trustBits, 181 net::NSSCertDatabase::ImportCertFailureList* not_imported) { 182 if (certificates.empty()) 183 return false; 184 185 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); 186 if (!slot.get()) { 187 LOG(ERROR) << "Couldn't get internal key slot!"; 188 return false; 189 } 190 191 for (size_t i = 0; i < certificates.size(); ++i) { 192 const scoped_refptr<net::X509Certificate>& cert = certificates[i]; 193 194 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use 195 // PK11_ImportCert instead. 196 SECStatus srv = PK11_ImportCert( 197 slot.get(), 198 cert->os_cert_handle(), 199 CK_INVALID_HANDLE, 200 net::x509_util::GetUniqueNicknameForSlot( 201 cert->GetDefaultNickname(net::SERVER_CERT), 202 &cert->os_cert_handle()->derSubject, 203 slot.get()).c_str(), 204 PR_FALSE /* includeTrust (unused) */); 205 if (srv != SECSuccess) { 206 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 207 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure( 208 cert, net::ERR_IMPORT_SERVER_CERT_FAILED)); 209 continue; 210 } 211 } 212 213 SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits); 214 // TODO(mattm): Report SetCertTrust result? Putting in not_imported 215 // wouldn't quite match up since it was imported... 216 217 // Any errors importing individual certs will be in listed in |not_imported|. 218 return true; 219 } 220 221 // Based on nsNSSCertificateDB::SetCertTrust. 222 bool 223 SetCertTrust(const net::X509Certificate* cert, 224 net::CertType type, 225 net::NSSCertDatabase::TrustBits trustBits) 226 { 227 const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL | 228 net::NSSCertDatabase::DISTRUSTED_SSL; 229 const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL | 230 net::NSSCertDatabase::DISTRUSTED_EMAIL; 231 const unsigned kObjSignTrustBits = net::NSSCertDatabase::TRUSTED_OBJ_SIGN | 232 net::NSSCertDatabase::DISTRUSTED_OBJ_SIGN; 233 if ((trustBits & kSSLTrustBits) == kSSLTrustBits || 234 (trustBits & kEmailTrustBits) == kEmailTrustBits || 235 (trustBits & kObjSignTrustBits) == kObjSignTrustBits) { 236 LOG(ERROR) << "SetCertTrust called with conflicting trust bits " 237 << trustBits; 238 NOTREACHED(); 239 return false; 240 } 241 242 SECStatus srv; 243 CERTCertificate *nsscert = cert->os_cert_handle(); 244 if (type == net::CA_CERT) { 245 // Note that we start with CERTDB_VALID_CA for default trust and explicit 246 // trust, but explicitly distrusted usages will be set to 247 // CERTDB_TERMINAL_RECORD only. 248 CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA}; 249 250 if (trustBits & net::NSSCertDatabase::DISTRUSTED_SSL) 251 trust.sslFlags = CERTDB_TERMINAL_RECORD; 252 else if (trustBits & net::NSSCertDatabase::TRUSTED_SSL) 253 trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; 254 255 if (trustBits & net::NSSCertDatabase::DISTRUSTED_EMAIL) 256 trust.emailFlags = CERTDB_TERMINAL_RECORD; 257 else if (trustBits & net::NSSCertDatabase::TRUSTED_EMAIL) 258 trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; 259 260 if (trustBits & net::NSSCertDatabase::DISTRUSTED_OBJ_SIGN) 261 trust.objectSigningFlags = CERTDB_TERMINAL_RECORD; 262 else if (trustBits & net::NSSCertDatabase::TRUSTED_OBJ_SIGN) 263 trust.objectSigningFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; 264 265 srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust); 266 } else if (type == net::SERVER_CERT) { 267 CERTCertTrust trust = {0}; 268 // We only modify the sslFlags, so copy the other flags. 269 CERT_GetCertTrust(nsscert, &trust); 270 trust.sslFlags = 0; 271 272 if (trustBits & net::NSSCertDatabase::DISTRUSTED_SSL) 273 trust.sslFlags |= CERTDB_TERMINAL_RECORD; 274 else if (trustBits & net::NSSCertDatabase::TRUSTED_SSL) 275 trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; 276 277 srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust); 278 } else { 279 // ignore user and email/unknown certs 280 return true; 281 } 282 if (srv != SECSuccess) 283 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError(); 284 return srv == SECSuccess; 285 } 286 287 } // namespace mozilla_security_manager 288